Over 15000 Roku TV accounts hacked, sold - FlatpanelsHD


19 Mar 2024 | Rasmus Larsen

Roku users are urged to check their accounts for unauthorized access or purchases, as the company has disclosed a data breach impacting over 15,000 accounts.

Roku disclosed the data breach on Friday, March 11, stating that 15,363 accounts were hacked in a credential stuffing attack, where reused email addresses and password credentials from another leak were used to access Roku accounts.

However, the Roku accounts were not only breached but also sold for as little as $0.50 per account, according to a report by BleepingComputer.

- "A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers," reported BleepingComputer. "Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents."
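
An added example (not from FlatpanelsHD, BleepingComputer or Roku) showing why a per-IP failure limit misses the proxy-rotating credential stuffing described in the quote, and how an aggregate check over distinct failing accounts still catches it. The log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login log: (minute, source_ip, account, success)."""
    events = [(i % 5, f"198.51.100.{i}", f"user{i}@example.com", True)
              for i in range(20)]                       # ordinary sign-ins
    events.append((1, "198.51.100.3", "user3@example.com", False))  # one typo
    # Stuffing run: 60 leaked pairs, one attempt per proxy IP, two valid pairs.
    events += [(10 + i % 5, f"203.0.113.{i}", f"leak{i}@example.net", i in (7, 41))
               for i in range(60)]
    return events

def per_ip_lockout(events, max_failures=5):
    """Classic brute-force control: flag IPs with many failed attempts."""
    failures = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures}

def stuffing_windows(events, window=5, min_failed_accounts=20, min_fail_ratio=0.8):
    """Flag time windows where many distinct accounts fail, whatever the IP."""
    buckets = defaultdict(list)
    for minute, ip, account, ok in events:
        buckets[minute // window].append((ip, account, ok))
    flagged = {}
    for w, rows in buckets.items():
        failed = {acct for _, acct, ok in rows if not ok}
        fail_ratio = sum(not ok for _, _, ok in rows) / len(rows)
        if len(failed) >= min_failed_accounts and fail_ratio >= min_fail_ratio:
            # Successful logins inside the burst are the likely takeovers.
            flagged[w] = sorted(acct for _, acct, ok in rows if ok)
    return flagged

if __name__ == "__main__":
    events = build_sample_events()
    print("IPs locked out:", per_ip_lockout(events))
    for w, accounts in stuffing_windows(events).items():
        print(f"window {w}: reset and review {accounts}")
```

The accounts returned for a flagged window are the ones to force a password reset on and to review for purchases made after the login.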


Weak Roku security

While attempts at credential stuffing attacks are common, Roku's weak security measures have reportedly made it possible to access accounts and use the credit card on file to purchase media or hardware such as Roku cameras, remotes, soundbars, or streaming boxes. According to BleepingComputer, Roku does not support two-factor authentication either.

Roku is the leading TV platform in the US ahead of Amazon's FireTV, Samsung's Tizen, and Android TV. Weak security in Smart TVs is problematic as credit cards and personal data are on file. Some Smart TVs are also connected to smart home devices such as cameras.

Apparently, the company's new 'Dispute Resolution Terms' that block the Roku device until a user agrees not to sue the company are in part related to the ongoing credential stuffing attacks, according to a source.

Roku said that it has reset the password of affected accounts and in some cases refunded customers for fraudulent purchases. Affected customers must visit the Roku website and click 'forgot password'.

- Source: Roku disclosure, BleepingComputer